Explore Content

The industry’s attack surface is expanding as retailers of every shape and size look to boost sales and improve efficiency by harnessing the latest data-driven technologies. Use of big data and sophisticated data warehouse models is growing fast. Also, many retailers are getting into the healthcare and pharmacy businesses, and as such are holding more sensitive data than ever before. Meanwhile, there is a steady shift from cash payments to electronic card payments in developing countries.

Insider threats in retail are also rising. Employee turnover is high, and the typical retailer has many points of insider vulnerability, including seasonal and traditional employees, as well as numerous stores and distribution centers. Many retailers also outsource some of their business processes to third parties.

Trends such as these are giving rise to a new breed of criminals. Instead of stealing money or physical goods from a store or warehouse, these cyber-criminals focus on stealing information -- especially the valuable cardholder data that flows between consumers and retailers.

System access by employees and third-party contractors should be tied to job functions and carefully planned and monitored. Access to specific data fields should be carefully planned as well due to the threat of data aggregation (creating sensitive data by piecing together seemingly benign data from various data sources).

Point-of-sale (POS) systems are an increasingly popular point of attack for acquiring transaction data, giving cyber-criminals immediate access to valuable information such as card numbers and personal identification numbers (PINs)(case #1).

Traditional data sources within the organization are also vulnerable. These include databases containing customer information, as well as intellectual property valuable to competitors, such as planned future store locations and demographic data (e.g., average income or age in a shop’s region).

Some attacks use advanced technology that take advantage of weaknesses in the IT infrastructure (case #2). Other attacks are as simple as an insider copying data to portable media and then walking out the door (case #3).

Whether an attack is simple or sophisticated, the results can be disastrous. Retailers today must understand the potential threats and take aggressive action to protect themselves and their customers from harm.

Hackers steal card data on millions of customers

Organization

A large retailer that sells a variety of food and non-food products.

Scenario

Attackers installed malware on the retailer’s point-of-sale (POS) systems. The infected systems recorded the data for every card swiped through the machine, including PINs. The malware was also capable of spreading itself throughout the organization, eventually infecting millions of POS systems within the retailer and collecting vast amounts of credit card data that was later resold for illicit purposes.

Attackers and motivation

The attackers were identified as organized criminals motivated by the potential financial gain from selling huge amounts of credit card information.

Techniques used

This attack used malware that can be purchased on the criminal market. The attackers installed the malware into the retailer’s environment, where it spread itself onto point-of-sale systems that could then be used to extract confidential data and create other backdoors into the retailer’s network.

Business impact

The attack received worldwide media coverage, severely damaging the company’s brand and cutting into sales. Financial impacts included: a drop in the company’s share price over the following quarter and into the next fiscal year; heavy fines; and the cost of offering free credit monitoring to millions of customers.

Case 1

Weak wireless security provides an open door to attack

Organization

A large retailer that sells apparel and home fashions.

Scenario

Attackers were able to exploit weak security on one of the retailer’s wireless networks, which allowed them to intercept card transactions and access the organization’s central database. The database, which was not encrypted, contained personal information and credit card details. As a result, the attackers were able to simply download the database and start selling the stolen information through a wide variety of channels.

Attackers and motivation

The attackers were cyber-criminals motivated by the financial gain of selling personal and cardholder data.

Techniques used

Several different techniques for attacking wireless networks were used to gain access to the network. Once inside, the attackers were able to monitor and intercept network data that eventually gave them access to the database of confidential information.

Business impact

The retailer’s reputation took a big hit due to the large amount of personal identifiable and credit card information that was lost. This had a significant financial impact, including fines, settlement costs and lost sales.

Case 2

Inside job goes undetected for years

Organization

A large retailer that sells communication-related products and services.

Scenario

Over the course of several years an employee of the retailer was able to obtain more than 8 million pieces of sensitive data, including personal information and classified documents. The employee sold the information to the highest bidders, which often included criminal organizations.

Attackers and motivation

The attacker was an employee who had worked at the retailer for many years. The employee was motivated by the financial gain from selling confidential information.

Techniques used

This incident illustrates that a very severe breach does not require sophisticated attack patterns. In this particular case, the attacker had direct access to confidential information and simply copied it onto portable media and took it home at the end of the day.

Business impact

The magnitude and especially the duration of the attack damaged the company’s reputation and share price. Other impacts included financial compensation for customers affected by the breach, as well as lasting mistrust of employees.

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients. Please see www.deloitte.com/about for a detailed description of DTTL and its member firms.